Networking Vendors Issue Heartbleed Fixes

The Heartbleed bug that came to light last week affected a huge swath of networking products, prompting vendors to issue alerts and updates.

Cisco on April 9 released a security advisory with a list of products affected by the OpenSSL vulnerability that included Nexus switches, Cisco IPS, and TelePresence equipment.

A Cisco spokesperson said in an email to Network Computing Monday that the company is continuing to work on patches for some products, but that many more products are unaffected by Heartbleed or have already been remediated. He said customers should check back on the advisory for the latest updates.

Juniper also released a list of affected products, which included Junos OS 13.3R1 and certain versions of the company's SSL VPN. Nearly all of the products have been updated, a spokesperson said Monday.

"Every Juniper product affected by the Heartbleed vulnerability now has a fix available except for older versions of our Unified Access Control, which we expect to provide a patch for shortly. We continue to work closely with customers to help them update their systems," the spokesperson said in an email.

Networking expert Tom Hollingsworth of Gestalt IT said he knew vendors were trying to get patches out as quickly as possible, but wondered how many vendors didn't disclose they were using OpenSSL in their products.

Brian Monkman, perimeter security programs manager at ICSA Labs, wrote in a blog post Monday that while much of the focus in the wake of the Heartbleed bug has been on the hundreds of thousands of potentially vulnerable websites, less attention has been paid to potentially vulnerable network security products.

"To put this into perspective, ANY product that uses OpenSSL or one of its variants to create a secure connection is potentially at risk," he wrote. "This could mean, for example, a network firewall with an outward facing administrative interface that uses an HTTPS connection may be vulnerable, or a Web application firewall that has SSL termination functionality may also be vulnerable."

For an explanation of the overall impact of Heartbleed, check out this Dark Reading blog post by Tim Sapio, a security analyst at Bishop Fox, a security consulting firm.

Marcia Savage is the managing editor for Network Computing, and has been covering technology for 15 years. She has written and edited for CRN and spent several years covering information security for SC Magazine and TechTarget. Marcia began her journalism career in daily ...